Design Flaw Found in .NET Framework

Even though it took only hours for security experts to discover a vulnerability in Microsoft's newly released security enhancement, the report's author says Microsoft developers should be "commended" for their attitude and approach to security.

On Wednesday morning, Microsoft (NASDAQ:MSFT) released a new security
enhancement for Visual C++.NET and Visual C++ 7 to prevent source code from
buffer overflow attacks. Hours later, a Dulles, Va.-based software risk management outfit was on the phone with Microsoft explaining the design flaw
in the new security enhancement.

He said officials were very receptive to the phone call, made a day before
Cigital released the design flaw to the world, and thinks developers are
already working on a fix for future releases.

McGraw says it was relatively easy to detect the vulnerability because
Microsoft uses a security approach based on StackGuard, a piece of code
that lets developers set a "security error handler" function in their
program to give an alert in the event of a possible attack.

Unfortunately, there are several workarounds to the StackGuard approach
that are well known in the hacker community.

"StackGuard has been shown to be susceptible to certain attacks in the
past," McGraw said. "Unfortunately, Microsoft didn't figure that out, or
didn't read those reports and they implemented a flawed version of this
approach.

"The flaw itself cannot be actively exploited today by attackers," he
continued. "So it's not like saying, 'You're Web server's broken, everyone
panic,' instead there's a flaw in a tool for producing software. In this
case, the flaw was a little subtle, so it's not like today a bunch of
script kiddies can run out and knock over Web servers because of the flaw."

What's particularly embarrassing to Microsoft is how fast the vulnerability
was found, this after Bill Gates, Microsoft founder and chief software
officer, said the software giant now has a new
commitment to software security and producing bug-free applications.

In a sweeping email memo to employees at the Redmond, WA-based company,
Gates said the future of Microsoft is dependent on the quality of product
they produce.

"As software has become ever more complex, interdependent and
interconnected, our reputation as a company has in turn become more
vulnerable," the email said. "Flaws in a single Microsoft product, service
or policy not only affect the quality of our platform and services overall,
but also our customers' view of us as a company."

McGraw doesn't see Wednesday's discovered flaw as justification for
scrapping .Net and writing Microsoft off as a software solution, just the
opposite, in fact.

"The fact is, Microsoft is doing the right thing and they should be
commended," he said. "They have the right attitude and they're working
hard to teach their developers to do the right thing. The problem is that
software security is hard, and finding risks and vulnerabilities,
especially at the design level, is a real challenge."